1. Summary

2. Relevant releases

VMware Workstation 6.5.2 and earlier,VMware Player 2.5.2 and earlier,VMware ACE 2.5.2 and earlier

3. Problem Description

a. Third Party Library libpng Updated to 1.2.35

Several flaws were discovered in the way third party library libpnghandled uninitialized pointers. An attacker could create a PNG imagefile in such a way, that when loaded by an application linked tolibpng, it could cause the application to crash or execute arbitrarycode at the privilege level of the user that runs the application.The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2009-0040 to this issue.The following table lists what action remediates the vulnerability(column 4) if a solution is available.

VMware Product

Product Version

Running on

Replace with/ Apply Patch

VMware Product
VirtualCenter

Product Version
any

Running on
Windows

Replace with/ Apply Patch
not affected

VMware Product
Workstation

Product Version
6.5.x

Running on
any

Replace with/ Apply Patch
6.5.3 build 185404 or later

VMware Product
Player

Product Version
2.5.x

Running on
any

Replace with/ Apply Patch
2.5.3 build 185404 or later

VMware Product
ACE

Product Version
2.5.x

Running on
any

Replace with/ Apply Patch
2.5.3 build 185404 or later

VMware Product
Server

Product Version
2.x

Running on
any

Replace with/ Apply Patch
affected,no patch planned

VMware Product
Server

Product Version
1.x

Running on
any

Replace with/ Apply Patch
affected, no patch planned

VMware Product
Fusion

Product Version
2.x

Running on
Mac OS/X

Replace with/ Apply Patch
not affected

VMware Product
Fusion

Product Version
1.x

Running on
Mac OS/X

Replace with/ Apply Patch
not affected

VMware Product
ESXi

Product Version
4.0

Running on
ESXi

Replace with/ Apply Patch
not affected

VMware Product
ESXi

Product Version
3.5

Running on
ESXi

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
4.0

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.5

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.0.3

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.0.2

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
2.5.5

Running on
ESX

Replace with/ Apply Patch
not affected *

* The libpng update for the Service Console of ESX 2.5.5 isdocumented in VMSA-2009-0007. This update is only relevant forESX 2.5.5 and not for other ESX versions.

b. Apache HTTP Server updated to 2.0.63

The new version of ACE updates the Apache HTTP Server on Windowshosts to version 2.0.63 which addresses multiple security issuesthat existed in the previous versions of this server.The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the names CVE-2007-3847, CVE-2007-1863, CVE-2006-5752,CVE-2007-3304, CVE-2007-6388, CVE-2007-5000, CVE-2008-0005 to theissues that have been addressed by this update.The following table lists what action remediates the vulnerability(column 4) if a solution is available.

VMware Product

Product Version

Running on

Replace with/ Apply Patch

VMware Product
VirtualCenter

Product Version
any

Running on
Windows

Replace with/ Apply Patch
not affected

VMware Product
Workstation

Product Version
6.5.x

Running on
any

Replace with/ Apply Patch
not affected

VMware Product
Player

Product Version
2.5.x

Running on
any

Replace with/ Apply Patch
not affected

VMware Product
ACE

Product Version
2.5.x

Running on
Windows

Replace with/ Apply Patch
2.5.3 build 185404 or later

VMware Product
ACE

Product Version
2.5.x

Running on
Linux

Replace with/ Apply Patch
update Apache on host system *

VMware Product
Server

Product Version
2.x

Running on
any

Replace with/ Apply Patch
not affected

VMware Product
Server

Product Version
1.x

Running on
any

Replace with/ Apply Patch
not affected

VMware Product
Fusion

Product Version
2.x

Running on
Mac OS/X

Replace with/ Apply Patch
not affected

VMware Product
Fusion

Product Version
1.x

Running on
Mac OS/X

Replace with/ Apply Patch
not affected

VMware Product
ESXi

Product Version
4.0

Running on
ESXi

Replace with/ Apply Patch
not affected

VMware Product
ESXi

Product Version
3.5

Running on
ESXi

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
4.0

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.5

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.0.3

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
3.0.2

Running on
ESX

Replace with/ Apply Patch
not affected

VMware Product
ESX

Product Version
2.5.5

Running on
ESX

Replace with/ Apply Patch
not affected

* The Apache HTTP Server is not part of an ACE install on a Linuxhost. Update the Apache HTTP Server on the host system to version2.0.63 in order to remediate the vulnerabilities listed above.

4. Solution

Please review the patch/release notes for your product and versionand verify the md5sum and/or the sha1sum of your downloaded file.